Edward Parker and Michael Vermeer want a contest!
NIST [U.S. National Institute for Standards and Technology] and others in the cryptography community are carefully analyzing several PQC [post-quantum cryptography] algorithms to try to catch any potential vulnerabilities. But it’s almost impossible to mathematically prove the security of most cryptography algorithms. In practice, the strongest evidence for an algorithm’s security is simply that many experts have tried and failed to break it. The more people try to attack the new PQC algorithms and fail, the more likely it is that they are secure.
One possible option for further crowdsourcing the analysis of NIST’s final candidate PQC algorithms would be a contest in which the general public is invited to try to break them. As hundreds of companies that offer public bug bounties have discovered, crowdsourced penetration testing can be a very useful tool for improving cybersecurity. The U.S. Departments of Homeland Security and Defense have also recently experimented with offering bug bounties to anyone who discovers cyber vulnerabilities in the departments’ systems. A public contest certainly can’t replace a mathematical security analysis, but it could be a useful complement that provides additional evidence of the algorithms’ security. [Lawfare]
Parker and Vermeer address and repudiate the usual objections to such a contest, and I tend to agree – let “the public,” a necessarily self-selecting group of mathematicians, both professional and amateurs, have a go at it. Both cash and notoriety will accrue to anyone who actually finds a weakness in any of the algorithms.
And may result in the development of new mathematical techniques and tools. Win-win?
